Article

Security from Every Angle

Your DMS is an often-overlooked asset in your quest to protect your data — and profits.

As you read this, your dealership management system (DMS) is probably working away in the background, silently and efficiently organizing your data and helping you run your business. It may also be automatically sharing data with any number of approved third-party vendors, from those that provide service reminder programs and coupon services to websites that display your vehicle inventory.

These types of data exchanges and system integrations have been part of the dealer technology infrastructure for years. Lately, however, there has been a lot of talk about how to audit and regulate this data movement to comply with data security and finance regulations, without negatively affecting dealer performance. Much of this talk has focused on DMS providers that control which third-party vendors can access a dealer’s data, all in the name of increasing security. But is it really about helping you, the dealer, or is it all for the DMS provider’s profit? And what does it mean for the dealer who prefers to organize their own system structure rather than adopt a ready-made product?

Having a clear understanding of DMS data sharing, the cost of “security” and why an open data market is good for the industry and good for your dealership is critical for future business success.

Market OverviewIncreasingly, various national and state agencies are scrutinizing the security of personal data, especially non-public personal information (NPPI). With the rise of data security breaches, identity theft and other crimes of that nature, it’s no wonder this is the case. For dealers, it means that the era of uncontrolled and unaudited data exchanges appears to be over.

In today’s business climate, you need to be able to demonstrate to the Federal Trade Commission (FTC) and other investigators that you have taken the necessary actions to ensure that all personal data movements are precisely defined, controlled and auditable.

Unfortunately, many DMS providers have taken it upon themselves to implement strict controls or block access to a dealer’s data — ostensibly for “security” or to protect against insidious infiltration of your system. In actuality, it is unclear whether these restrictions are for security, technical, or competitive reasons.

What we do know is that locking down data can negatively affect your business. After all, many believe that carefully monitored open integrations — where dealers can choose the third-party providers that work best for their businesses — are essential to streamline workflows, increase efficiency and ensure access to more comprehensive or more affordable solutions as they become available.

The Cost of ‘Security’Dealers just like you are paying a high price for data control that comes cloaked in the guise of security. This price may include higher third-party licensing fees, the hassle and time of dealing with bureaucratic red tape and even the loss of innovative products that could boost your bottom line and push the entire industry forward. Let’s take each scenario in turn.

Higher Third-Party Licensing Fees: Higher licensing fees may be a direct consequence of a DMS provider locking down your data, but you may not even be aware of it. How is this possible? Because you don’t know how much your provider is charging vendors to access your data. In our experience, vendors are often offered access to a ‘certified’ integration facility at an exorbitant cost. Many of these third-party providers can’t compete, or if they do pony up the fee, they are forced to pass on this excessive cost to dealer clients just like you in the form of higher pricing. As a result, your dealership may be unknowingly paying what amounts to a “data tax” just to work with the vendors of your choice.

Bureaucratic Red Tape: Other DMS providers claim to have an open system, but then bury access behind bureaucratic red tape, or strictly limit the data fields they make accessible. For example, we’ve heard of dealers who must request permission for every data field they want to send to a vendor. This means for every field, a dealer must call the provider’s customer service number, request the fields, go through a supervisor, and so on. With hundreds of data fields, this makes it a Herculean, if not impossible, task. Still other vendors seem to decide arbitrarily which data fields are available to outside vendors. Take customer relationship management (CRM) systems as an example. Many dealers want to use outside CRM vendors because these standalone solutions boast advanced functionality. However, DMS providers often will limit the data these CRM vendors can access because they want to push a dealer to their own in-house CRM tool. This has nothing to do with security and everything to do with competition.

Loss of Innovative Products: Hindering competing products is one of the most nefarious outcomes of DMS “security” because it doesn’t just affect your dealership; it adversely impacts innovation for the entire industry. When DMS vendors charge exorbitant rates for data access, vendors may realize their businesses are no longer sustainable and shut down. This reduces innovation and potentially allows inferior products to move forward, further eroding the support dealers like you need to be successful. Ultimately, all of these actions taken in the name of “security” lead to one outcome: Dealers like you do not have control over your data. As a result, you cannot choose the software that is best for your business or take advantage of new innovations, which negatively impacts performance and profits.

Next StepsSo what can you do to take back control of your dealership data, ensure you can work with the third-party providers of your choice and keep innovation alive and thriving? The first action you can take is to question your current DMS provider. Ask for details of the process third-party vendors must complete to gain access to your data. What is the cost for integration and what data fields are available? If you’re not satisfied with your vendor’s data sharing model, it might be time to consider other options.

As I mentioned in my previous article (“How to Find the Right DMS,” May 2014, Page 20), the thought of going through a DMS conversion is intimidating for many dealers. How can it not be? Implementing a new DMS invariably leads to business disruptions, unsettled employees and long days and nights during the process. However, the potential to work with a truly open DMS that doesn’t charge third-party vendors exorbitant fees or hold your data hostage can reap huge benefits, like lower monthly costs, access to new and innovative technologies and greater efficiencies.

If you do decide to interview new DMS providers, keep true security in mind. Look for providers that take every precaution to safeguard your customers’ highly sensitive NPPI. The vendor should be certified as SSAE 16 (Statement on Standards for Attestation Engagements, No. 16) compliant and adhere to all the statements, which were put in place by the American Institute of Certified Public Accountants (AICPA) for financial reporting for service organizations. This includes both logical and physical security controls audited by a third party.

Ensure the vendor encrypts and masks all Social Security numbers, and consider a hosted system. These types of systems securely store data in a remote cloud server, which is often a more secure environment than a standalone server box in the dealership. This is true especially in light of recent reports of stolen backup tapes, disgruntled employees or intruders hacking systems, and dealership accounting systems being accessed through the dealership firewall, which all expose your customers’ NPPI. Make sure the provider has a program to purge this data within a reasonable timeframe from the customer’s last transaction. We recommend no longer than 90 days.

Once you’re confident in the security of a system, delve into each vendor’s data-sharing model. Open systems will allow you to work with any third-party vendors of your choice, for a reasonable vendor fee. You should be able to add, delete or modify partners and parameters at any time, and in real time.

Of course, with freedom comes responsibility. That is why I strongly encourage you to regularly review and audit all reports. This is one of the best ways to track the providers who are giving or receiving data, and make any needed adjustments quickly and easily.

DMS providers that strictly control who has access to your data hinder your efficiency and your access to a more comprehensive or lower cost solution offered by a third-party vendor. They take away a potential competitive advantage and control over what rightfully belongs to you. Who you turn to for services should be your choice. As long as the market is free and open, more and better solutions will continue to evolve. This is good for the industry and good for your business.

Sharon Kitzman is vice president and general manager of dealer management solutions for Dealertrack Technologies and a DMS development expert. SKitzman@AutoDealerMonthly.com

Featured Jobs

On-the-Point

By Jim Ziegler
The Alpha Dawg charts the brief rise and long fall of Johan de Nysschen, the recently departed president of Cadillac and author of the business plan that effectively crowned Lincoln as the new king of American luxury.